CHAPTER I
General Provisions
SECTION 1.
Act of 2012".
SECTION 2.
Declaration of Policy. It is the policy of the State to
protect the fundamental human right of privacy of communication while ensuring free
flow of information to promote innovation and growth. The State recognizes the vital
role of information and communications technology in nation-building and its
inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secured and
protected.
SECTION 3.
Definition of Terms. Whenever used in this Act, the
following terms shall have the respective meanings hereafter set forth:
Copyright 2016
(a)
(b)
(d)
(e)
(f)
(g)
(h)
(1)
(i)
(j)
(k)
(l)
(2)
(3)
(4)
SECTION 4.
personal information and to any natural and juridical person involved in personal
information processing including those personal information controllers and
processors who, although not found or established in the Philippines, use equipment
that are located in the Philippines, or those who maintain an office, branch or agency
in the Philippines subject to the immediately succeeding paragraph: Provided, That
the requirements of Section 5 are complied with.
This Act does not apply to the following:
(a)
(2)
(3)
(4)
(b)
(c)
(d)
(e)
(g)
SECTION 5.
Protection Afforded to Journalists and Their Sources.
Nothing in this Act shall be construed as to have amended or repealed the provisions
of Republic Act No. 53, which affords the publishers, editors or duly accredited
reporters of any newspaper, magazine or periodical of general circulation protection
from being compelled to reveal the source of any news report or information
appearing in said publication which was related in any confidence to such publisher,
editor, or reporter.
SECTION 6.
Extraterritorial Application. This Act applies to an act
done or practice engaged in and outside of the Philippines by an entity if:
(a)
(b)
The entity has a link with the Philippines, and the entity is
processing personal information in the Philippines or even if the
processing is outside the Philippines as long as it is about
Philippine citizens or residents such as, but not limited to, the
following:
(c)
(1)
(2)
(3)
The entity has other links in the Philippines such as, but not limited
to:
(1)
(2)
SECTION 7.
Functions of the National Privacy Commission. To
administer and implement the provisions of this Act, and to monitor and ensure
compliance of the country with international standards set for data protection, there is
hereby created an independent body to be known as the National Privacy
Commission, which shall have the following functions:
(a)
(b)
(c)
(d)
(e)
(f)
(g)
(h)
(i)
(j)
(l)
(m)
(n)
(o)
(p)
(q)
SECTION 8.
Confidentiality. The Commission shall ensure at all
times the confidentiality of any personal information that comes to its knowledge and
possession.
SECTION 9.
Organizational Structure of the Commission. The
Commission shall be attached to the Department of Information and Communications
Technology (DICT)
and shall be headed by a Privacy Commissioner, who shall
also act as Chairman of the Commission. The Privacy Commissioner shall be assisted
by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing
Systems and one to be responsible for Policies and Planning. The Privacy
Commissioner and the two (2) Deputy Privacy Commissioners shall be appointed by
the President of the Philippines for a term of three (3) years, and may be reappointed
for another term of three (3) years. Vacancies in the Commission shall be filled in the
same manner in which the original appointment was made.
The Privacy Commissioner must be at least thirty-five (35) years of age and of
good moral character, unquestionable integrity and known probity, and a recognized
expert in the field of information technology and data privacy. The Privacy
Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the
rank of Secretary.
The Deputy Privacy Commissioners must be recognized experts in the field of
information and communications technology and data privacy. They shall enjoy the
benefits, privileges and emoluments equivalent to the rank of Undersecretary.
The Privacy Commissioner, the Deputy Commissioners, or any person acting
on their behalf or under their direction, shall not be civilly liable for acts done in good
faith in the performance of their duties. However, he or she shall be liable for willful
or negligent acts done by him or her which are contrary to law, morals, public policy
and good customs even if he or she acted under orders or instructions of superiors:
Provided, That in case a lawsuit is filed against such official on the subject of the
performance of his or her duties, where such performance is lawful, he or she shall be
reimbursed by the Commission for reasonable costs of litigation.
SECTION 10.
The Secretariat. The Commission is hereby authorized
to establish a Secretariat. Majority of the members of the Secretariat must have served
for at least five (5) years in any agency of the government that is involved in the
processing of personal information including, but not limited to, the following offices:
Social Security System (SSS), Government Service Insurance System (GSIS), Land
Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health
Insurance Corporation (PhilHealth), Commission on Elections (COMELEC),
Department of Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine
Postal Corporation (Philpost).
CHAPTER III
Processing of Personal Information
SECTION 11.
General Data Privacy Principles. The processing of
personal information shall be allowed, subject to compliance with the requirements of
this Act and other laws allowing disclosure of information to the public and
adherence to the principles of transparency, legitimate purpose and proportionality.
Personal information must be:
(a)
(b)
(c)
(d)
(e)
(f)
prohibited by law, and when at least one of the following conditions exists:
(a)
(b)
(c)
(d)
(e)
(f)
SECTION 13.
Sensitive Personal Information and Privileged Information.
The processing of sensitive personal information and privileged information shall
be prohibited, except in the following cases:
(a)
The data subject has given his or her consent, specific to the
purpose prior to the processing, or in the case of privileged
information, all parties to the exchange have given their consent
prior to processing;
(b)
(d)
(e)
(f)
SECTION 14.
Subcontract of Personal Information. A personal
information controller may subcontract the processing of personal information:
Provided, That the personal information controller shall be responsible for ensuring
that proper safeguards are in place to ensure the confidentiality of the personal
information processed, prevent its use for unauthorized purposes, and generally,
comply with the requirements of this Act and other laws for processing of personal
information. The personal information processor shall comply with all the
requirements of this Act and other applicable laws.
SECTION 15.
Extension of Privileged Communication. Personal
information controllers may invoke the principle of privileged communication over
privileged information that they lawfully control or process. Subject to existing laws
to:
(a)
(b)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(d)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(f)
SECTION 17.
Transmissibility of Rights of the Data Subject. The
lawful heirs and assigns of the data subject may invoke the rights of the data subject
for, which he or she is an heir or assignee at any time after the death of the data
subject or when the data subject is incapacitated or incapable of exercising the rights
as enumerated in the immediately preceding section.
SECTION 18.
Right to Data Portability. The data subject shall have the
right, where personal information is processed by electronic means and in a structured
and commonly used format, to obtain from the personal information controller a copy
of data undergoing processing in an electronic or structured format, which is
commonly used and allows for further use by the data subject. The Commission may
specify the electronic format referred to above, as well as the technical standards,
modalities and procedures for their transfer.
SECTION 19.
Non-Applicability. The immediately preceding sections
are not applicable if the processed personal information are used only for the needs of
scientific and statistical research and, on the basis of such, no activities are carried out
and no decisions are taken regarding the data subject: Provided, That the personal
information shall be held under strict confidentiality and shall be used only for the
declared purpose. Likewise, the immediately preceding sections are not applicable to
(c) The determination of the appropriate level of security under this section
must take into account the nature of the personal information to be protected, the risks
represented by the processing, the size of the organization and complexity of its
operations, current data privacy best practices and the cost of security
implementation. Subject to guidelines as the Commission may issue from time to
time, the measures implemented must include:
(1)
(2)
(3)
(4)
(d) The personal information controller must further ensure that third parties
processing personal information on its behalf shall implement the security measures
required by this provision.
(e) The employees, agents or representatives of a personal information
controller who are involved in the processing of personal information shall operate
and hold personal information under strict confidentiality if the personal information
are not intended for public disclosure. This obligation shall continue even after
leaving the public service, transfer to another position or upon termination of
employment or contractual relations.
(f) The personal information controller shall promptly notify the
Commission and affected data subjects when sensitive personal information or other
information that may, under the circumstances, be used to enable identity fraud are
reasonably believed to have been acquired by an unauthorized person, and the
personal information controller or the Commission believes that such unauthorized
acquisition is likely to give rise to a real risk of serious harm to any affected data
subject. The notification shall at least describe the nature of the breach, the sensitive
personal information possibly involved, and the measures taken by the entity to
address the breach. Notification may be delayed only to the extent necessary to
determine the scope of the breach, to prevent further disclosures, or to restore
reasonable integrity to the information and communications system.
(1)
(2)
(3)
SECTION 21.
Principle of Accountability. Each personal information
controller is responsible for personal information under its control or custody,
including information that have been transferred to a third party for processing,
whether domestically or internationally, subject to cross-border arrangement and
cooperation.
(a)
(b)
SECTION 22.
Responsibility of Heads of Agencies. All sensitive
personal information maintained by the government, its agencies and instrumentalities
shall be secured, as far as practicable, with the use of the most appropriate standard
recognized by the information and communications technology industry, and as
recommended by the Commission. The head of each government agency or
instrumentality shall be responsible for complying with the security requirements
mentioned herein while the Commission shall monitor the compliance and may
recommend the necessary action in order to satisfy the minimum standards.
SECTION 23.
Requirements Relating to Access by Agency Personnel to
Sensitive Personal Information. (a) On-site and Online Access. Except as may
be allowed through guidelines to be issued by the Commission, no employee of the
government shall have access to sensitive personal information on government
property or through online facilities unless the employee has received a security
clearance from the head of the source agency.
(b) Off-site Access. Unless otherwise provided in guidelines to be issued
by the Commission, sensitive personal information maintained by an agency may not
be transported or accessed from a location off government property unless a request
for such transportation or access is submitted and approved by the head of the agency
(2)
(3)
The requirements of this subsection shall be implemented not later than six (6)
months after the date of the enactment of this Act.
SECTION 24.
Applicability to Government Contractors. In entering
into any contract that may involve accessing or requiring sensitive personal
information from one thousand (1,000) or more individuals, an agency shall require a
contractor and its employees to register their personal information processing system
with the Commission in accordance with this Act and to comply with the other
provisions of this Act including the immediately preceding section, in the same
manner as agencies and government employees comply with such requirements.
CHAPTER VIII
Penalties
SECTION 25.
Unauthorized Processing of Personal Information and
Sensitive Personal Information. (a) The unauthorized processing of personal
information shall be penalized by imprisonment ranging from one (1) year to three (3)
years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who
process personal information without the consent of the data subject, or without being
authorized under this Act or any existing law.
agents, who discloses to a third party personal information not covered by the
immediately preceding section without the consent of the data subject, shall be
subject to imprisonment ranging from one (1) year to three (3) years and a fine of not
less than Five hundred thousand pesos (Php500,000.00) but not more than One
million pesos (Php1,000,000.00).
(b) Any personal information controller or personal information processor or
any of its officials, employees or agents, who discloses to a third party sensitive
personal information not covered by the immediately preceding section without the
consent of the data subject, shall be subject to imprisonment ranging from three (3)
years to five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million pesos (Php2,000,000.00).
SECTION 33.
Combination or Series of Acts. Any combination or
series of acts as defined in Sections 25 to 32 shall make the person subject to
imprisonment ranging from three (3) years to six (6) years and a fine of not less than
One million pesos (Php1,000,000.00) but not more than Five million pesos
(Php5,000,000.00).
SECTION 34.
Extent of Liability. If the offender is a corporation,
partnership or any juridical person, the penalty shall be imposed upon the responsible
officers, as the case may be, who participated in, or by their gross negligence, allowed
the commission of the crime. If the offender is a juridical person, the court may
suspend or revoke any of its rights under this Act. If the offender is an alien, he or she
shall, in addition to the penalties herein prescribed, be deported without further
proceedings after serving the penalties prescribed. If the offender is a public official
or employee and he or she is found guilty of acts penalized under Sections 27 and 28
of this Act, he or she shall, in addition to the penalties prescribed herein, suffer
perpetual or temporary absolute disqualification from office, as the case may be.
SECTION 35.
Large-Scale. The maximum penalty in the scale of
penalties respectively provided for the preceding offenses shall be imposed when the
personal information of at least one hundred (100) persons is harmed, affected or
involved as the result of the abovementioned actions.
SECTION 36.
Offense Committed by Public Officer. When the offender
or the person responsible for the offense is a public officer as defined in the
Administrative Code of the Philippines in the exercise of his or her duties, an
accessory penalty consisting in the disqualification to occupy public office for a term
double the term of criminal penalty imposed shall be applied.
SECTION 37.
Restitution. Restitution for any aggrieved party shall be
governed by the provisions of the New Civil Code.
CHAPTER IX
Miscellaneous Provisions
SECTION 38.
Interpretation. Any doubt in the interpretation of any
provision of this Act shall be liberally interpreted in a manner mindful of the rights
and interests of the individual about whom personal information is processed.
SECTION 39.
Implementing Rules and Regulations (IRR). Within
ninety (90) days from the effectivity of this Act, the Commission shall promulgate the
rules and regulations to effectively implement the provisions of this Act.
SECTION 40.
Reports and Information. The Commission shall
annually report to the President and Congress on its activities in carrying out the
provisions of this Act. The Commission shall undertake whatever efforts it may
determine to be necessary or appropriate to inform and educate the public of data
privacy, data protection and fair information rights and responsibilities.
SECTION 41.
Appropriations Clause. The Commission shall be
provided with an initial appropriation of Twenty million pesos (Php20,000,000.00) to
be drawn from the national government. Appropriations for the succeeding years shall
be included in the General Appropriations Act. It shall likewise receive Ten million
pesos (Php10,000,000.00) per year for five (5) years upon implementation of this Act
drawn from the national government.
SECTION 42.
Transitory Provision. Existing industries, businesses and
offices affected by the implementation of this Act shall be given one (1) year
transitory period from the effectivity of the IRR or such other period as may be
determined by the Commission, to comply with the requirements of this Act.
In case that the DICT has not yet been created by the time the law takes full
force and effect, the National Privacy Commission shall be attached to the Office of
the President.
SECTION 43.
Separability Clause. If any provision or part hereof is
held invalid or unconstitutional, the remainder of the law or the provision not
otherwise affected shall remain valid and subsisting.
SECTION 44.
Repealing Clause. The provision of Section 7 of
Republic Act No. 9372, otherwise known as the "Human Security Act of 2007", is
hereby amended. Except as otherwise expressly provided in this Act, all other laws,
decrees, executive orders, proclamations and administrative regulations or parts
thereof inconsistent herewith are hereby repealed or modified accordingly.
SECTION 45.
Effectivity Clause. This Act shall take effect fifteen (15)
days after its publication in at least two (2) national newspapers of general circulation.
Approved: August 15, 2012.
Published in The Philippine Star on August 24, 2012.